4
Selective Timeline of DNSSEC
- 1987 – DNS ratified to replace hosts.txt
- 1990 – DNS security flaws found
- 1997 – First try at DNSSEC - RFC
- Second try at DNSSEC - RFC2535
- BIND9 is the first DNSSEC-capable implementation
- 2005 – Finalized RFCs published
- July 2008 – Kaminsky exploit announced
- July 2010 – Root signed
- August 2010 – .edu TLD is signed
- March 2011 – .com TLD is signed
- ARIN signed for reverse DNS

5
DNS BASICS
A refresher to get us all on the same page…

6
DNS Records
DNS is comprised of various resource record (RR) types. Primary types:
- A – maps a hostname to an IP address
- MX – maps a host or domain to a list of mail servers
- CNAME – specifies an alias for a host
- PTR – maps an IP address to a host name
- NS – specifies the authoritative name servers for a zone
- SOA – specifies authoritative information about a zone: the primary name server, the domain administrator, the serial number, and the timers related to refreshing the zone
DNSSEC will introduce several new record types.

10
New Record Types
- DNSKEY – the public side of the private/public key pair; there is one for the Key Signing Key (KSK) and one for the Zone Signing Key (ZSK)
- RRSIG – the signature over a resource record set, used to validate that set
- DS – Delegation Signer; builds the chain of trust from the parent zone
- NSEC/NSEC3 – certified non-existence record (authenticated denial of existence)

13
Keys
- Public/private key pair
- Private key is used to sign records; it should be kept in a secure location (not on live DNS servers)
- Public key is used to check signatures
- Must be 512 to 4096 bits for DNSSEC
- Several algorithms available
- Zone Signing Key (ZSK) is used to sign the zone data
- Key Signing Key (KSK) is used to sign the DNSKEY record set (the ZSK record); generally larger and more secure
- A cryptographic digest of the KSK is sent upstream as the DS record, which verifies the authority of the KSK

23
BIND Versions/Restrictions
- We recommend using the most up-to-date version of your preferred DNS software; updates often pertain to security issues
- Preliminary DNSSEC support was introduced in BIND 8.2
- BIND 9.7 is the recommended version for all capabilities
- Windows Server 2003 has preliminary support: slave support only, and it must be activated in the Registry
- Windows Server 2008 R2 has full support

26
named.conf Edits – Authoritative Servers
- Add "dnssec-enable yes;" to the options section
- For your first time signing, make sure you increment your serial number!
- After signing your zones, point named.conf at the new signed zone files: same names as your old zone files, but with ".signed" appended

27
named.conf Edits – Recursive Servers
- To start validating results, add "dnssec-validation yes;" to the options section
- You also need to get the KSK for the root (the trust anchor) into your config. As of this presentation, it would look like this for BIND >= 9.7 (the three numbers after initial-key are the key's flags, 257 for a KSK, its protocol, 3, and its algorithm, 8 for RSA/SHA-256):

managed-keys {
    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                             FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                             bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                             X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                             W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                             Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                             QxA+Uk1ihz0=";
};
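The DS relationship described on the Keys slide (a digest of the KSK is what goes upstream) and the KSK rotation step of sending a new DS to the parent, as an added example that is not part of this presentation: it parses the root DNSKEY pasted into managed-keys above, computes the RFC 4034 key tag and the SHA-256 DS digest, and compares the result with the DS that IANA publishes for the root, so a resolver operator can confirm a trust anchor before validating with it. Flags 257, protocol 3 and algorithm 8 are assumed for the key, since the slide shows only the base64 material; the IANA DS value is quoted from the root trust-anchor file, not from the slide.

```python
import base64
import hashlib
import struct

# Root KSK as pasted into the managed-keys statement above; the base64 is the slide's,
# flags 257 (KSK), protocol 3 and algorithm 8 (RSA/SHA-256) are assumed.
ROOT_KSK_TEXT = (
    "257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)
# DS for this key as published in IANA's root trust-anchor file (not from the slide).
IANA_ROOT_DS = (19036, 8, 2,
                "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

def dnskey_rdata(text):
    """Presentation-format DNSKEY RDATA ('flags proto alg base64') to wire format."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum-style sum over the wire RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name in canonical wire form (lowercase, length-prefixed labels); root is b'\\x00'."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_record(owner, dnskey_text, digest_type=2):
    """DS RDATA for a DNSKEY: the digest covers owner-name wire form || DNSKEY RDATA."""
    rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def trust_anchor_matches(owner, dnskey_text, published_ds):
    """True when the configured DNSKEY hashes to the DS the parent (here IANA) published."""
    return ds_record(owner, dnskey_text, published_ds[2]) == published_ds
```

The same functions apply to your own KSK before a rotation: run ds_record on the new DNSKEY line and send exactly that tuple to your upstream provider.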

30
Key rotation - ZSK
1. Generate and publish the new ZSK one TTL before the planned rotation, but don't sign the zone with it yet!
2. After the TTL expires, sign with the new ZSK
   1. Leave the old DNSKEY record in the zone for one TTL cycle
   2. This allows cached signed records to still be verified (signatures created with the old key need time to expire)
Here's one option: have 3 ZSKs in your zone, the previous, the current and the next. Your zone will then always contain the necessary keys.

31
Key rotation - KSK
1. Generate and publish the new KSK at least one TTL before the planned rotation, and sign the ZSK records (the DNSKEY set) with both the old and the new KSK.
2. Make sure you send your new DS record upstream!
3. After the TTL expires, remove the old DS record from your upstream provider and remove the old KSK from your zone files.

32
VERIFICATION

33
Verification – dnsviz.net
(Screenshots: "All Clear"; "Trust Issue")

34
DNSSEC Debugger – Verisign Labs
(Screenshots: "Everything looks good"; "This shows a problem with the keys")